ThingsBoard before v3.2 is vulnerable to Host header injection in password-reset emails. This allows an attacker to send malicious links in password-reset emails to victims, pointing to an attacker-controlled server. Lack of validation of the Host header allows this to happen.
References
Link | Resource |
---|---|
https://gist.github.com/vin01/26a8bb13233acd9425e7575a7ad4c936 | Exploit Third Party Advisory |
https://github.com/thingsboard/thingsboard/commits/master | Third Party Advisory |
History
No history.
MITRE Information
Status: PUBLISHED
Assigner: mitre
Published: 2020-12-18T18:27:23
Updated: 2020-12-18T18:27:23
Reserved: 2020-10-23T00:00:00
Link: CVE-2020-27687
JSON object: View
NVD Information
Status : Analyzed
Published: 2020-12-18T19:15:14.767
Modified: 2021-07-21T11:39:23.747
Link: CVE-2020-27687
JSON object: View
Redhat Information
No data.